Dependency had malicious-release incident (last 90d)

dYdX v4 (dYdX Chain)'s assessment for RD-F-134 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The Feb 2026 npm/PyPI compromise targeted @dydxprotocol/v4-client-js and dydx-v4-client Python packages — client SDK packages, NOT Go module dependencies of the v4-chain binary. Source explicitly confirms on-chain Go binary unaffected: the versions of dydx-v4-clients hosted in the dydxprotocol Github do not contain the malware. No malicious-release advisory affecting the Go dependency tree in trailing 90 days.

Sources #

URL
Malicious dYdX Packages — Socket Security Blog (Feb 2026)Socket blog on dYdX npm/PyPI compromiseretrieved 2026-05-17
URL
Compromised dYdX npm and PyPI Packages — HackerNews (Feb 2026)HackerNews dYdX supply chain articleretrieved 2026-05-17

Methodology #

Determine whether any npm/PyPI/crates.io dependency of this protocol had a flagged malicious release in the trailing 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol dydx-v4 factor RD-F-134 score green collected_at 2026-05-17 09:58:47